Friday, June 17, 2011

Intercepting Blackberry Application Traffic

Intercepting mobile traffic is one of the key areas of mobile application penetration testing, and Blackberry mobile applications are no different. In this post, we will look at methods of intercepting Blackberry application traffic.

It is important to note that the standalone Blackberry simulator does not offer any mechanism to route HTTP traffic over a web proxy. To use a web proxy for traffic interception, one has to use the Blackberry device simulator together with the MDS and email simulator. Assuming you have both installed, the following steps will allow you to intercept Blackberry web traffic.

The following image shows the HTTP HANDLER section of the rimpublic.property file for Fiddler running on port 8888 on localhost.

Web Proxy Configuration

More details on proxy configuration can be seen here. Once you save these settings and launch the MDS simulator, you will be able to monitor, intercept and modify all HTTP traffic. However, we still need to put in some extra work for SSL traffic.

Image shows HTTP traffic captured for google.com

Case 2: Routing HTTPS traffic via web proxy:
The above-mentioned configuration was not successful when attempted on SSL traffic. It was time for a workaround, and I thought of using a reverse proxy. The idea of using a reverse proxy had some limitations, but it worked seamlessly and allowed me to intercept SSL traffic for a particular domain. To demonstrate this concept, I will be using Charles Proxy's Reverse Proxy. You can use any reverse proxy of your own choice. Let's configure the Charles proxy now.

Obtain the IP address to which the application/browser talks

Obtain the IP for the target domain. nslookup for mail.google.com revealed four DNS entries (74.125.226.184, 74.125.226.182, 74.125.226.181, 74.125.226.183), and one of them was chosen as the destination for the reverse proxy settings. See the screenshots below for Charles Reverse Proxy settings.

In the hosts file, make an entry that points the target domain at the IP on which the reverse proxy is hosted. In our case, I entered the following for mail.google.com:

127.0.0.1 mail.google.com
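A pre-flight check for the two configurations described in this post, as an added example that is not code from the original post: it parses rimpublic.property text for the HTTP handler proxy keys and hosts-file text for the override entry, then lists what is missing or inconsistent. The function names and the sample inputs are constructed for illustration; the property key names are the ones quoted in the comments on this post.

```python
PREFIX = "application.handler.http."

# Constructed sample inputs for illustration (not from a real installation).
SAMPLE_PROPERTIES = """\
[HTTP HANDLER]
application.handler.http.proxyEnabled = true
application.handler.http.proxyHost = localhost
application.handler.http.proxyPort = 8888
"""
SAMPLE_HOSTS = "127.0.0.1 localhost\n127.0.0.1 mail.google.com  # reverse proxy\n"

def parse_properties(text):
    """Parse 'key = value' lines, skipping blanks, comments and [SECTION] headers."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#![":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def parse_hosts(text):
    """Return {hostname: ip} from hosts-file text, ignoring '#' comments."""
    mapping = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            mapping[name.lower()] = fields[0]
    return mapping

def check_setup(properties_text, hosts_text, proxy_port, target_host, reverse_proxy_ip):
    """Return a list of findings; an empty list means both cases look configured."""
    findings = []
    props = parse_properties(properties_text)
    if props.get(PREFIX + "proxyEnabled", "").lower() != "true":
        findings.append("HTTP: proxyEnabled is not true")
    if not props.get(PREFIX + "proxyHost"):
        findings.append("HTTP: proxyHost is not set")
    if props.get(PREFIX + "proxyPort") != str(proxy_port):
        findings.append(f"HTTP: proxyPort is not {proxy_port}")
    mapped = parse_hosts(hosts_text).get(target_host.lower())
    if mapped is None:
        findings.append(f"HTTPS: no hosts entry for {target_host}")
    elif mapped != reverse_proxy_ip:
        findings.append(f"HTTPS: {target_host} maps to {mapped}, not {reverse_proxy_ip}")
    return findings

if __name__ == "__main__":
    print(check_setup(SAMPLE_PROPERTIES, SAMPLE_HOSTS, 8888, "mail.google.com", "127.0.0.1"))
```

A clean result only confirms the routing; an application that ships its own certificate validation can still refuse the proxy's certificate.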

20 comments:

Anonymous said...

Hi, I am not able to intercept https requests through the blackberry simulator, whereas http is working fine. Tried this in Charles as you suggested. What I want is to open a https request through the blackberry simulator browser and Charles should be able to intercept.

Hi, I am able to intercept traffic from the browser. Please let me know if you have any idea about how I can intercept traffic from a mobile application. I am aware that some configurations need to be done in the config of mds but don't know what the exact parameters are. It would be great if you can help me on this....

Cyril, if you know the host to which the mobile application talks, configure simulator and proxy according to that. The steps are no different. However, certain applications that use SSL may have home grown CA and may implement their own certificate validation code. Intercepting traffic in such scenarios is harder.

Hi Grusev, I am trying to intercept HTTP requests using the blackberry simulator. I am behind the proxy. So, accordingly I have done changes in the rimpublic.property as follows:

application.handler.http.proxyEnabled = true
application.handler.http.proxyHost = proxy IP
application.handler.http.proxyPort = Proxy port

I am able to browse the internet through the blackberry simulator. But unable to intercept requests through burp proxy. Do let me know any changes I need to do ..

Thanks for the reply. Yes, now I am able to intercept blackberry browser traffic. However, I have two more queries. When I tried to access facebook through the blackberry emulator, I am getting an error like "There is Insufficient Network coverage to process your network. Please try again after". But I can see the full network coverage; I have changed battery properties to full. 2nd one: how to intercept traffic for blackberry apps.

@Anonymous, I have used the exact same steps to intercept SSL traffic, not sure what problems you are facing. The apps you are testing may be using custom certificate validation code causing traffic interception to fail.

Hi everyone! I'm trying to intercept http requests first but I can't. I've done the configurations you've said but in my ZAP application I'm not getting anything... am I missing any easy step you have not posted? Thanks in advance.
